Ninth Circuit Mostly Eliminates Private-Sector Workplace Privacy Rights in Computers:
This is a very long blog post in response to a troubling new Fourth Amendment decision handed down by the Ninth Circuit yesterday, United States v. Ziegler. It's a long post because the issues are both very important and very complicated, and the only way to show the problems with the decision is to do it in a fairly detailed way. I think the post is worth the payoff; the stakes of the case are potentially enormous, so the court's wrong turn is worth explaining in depth.

First, some background. One of the tricky aspects of Fourth Amendment law is the distinction between the Fourth Amendment protection of government employees and private sector employees. The basic rule for the private sector is that employees have privacy rights at work unless their work space is completely open to the public, with the caveat that their employer can consent to a search of spaces that are not open to the public.

The rules for government employment are totally different, thanks to the Supreme Court's somewhat odd decision in O'Connor v. Ortega. In that case, the Supreme Court created a sui generis, split-the-baby-in-half regime for government employee Fourth Amendment rights (announced in a plurality opinion by, you guessed it, Justice O'Connor). Under the O'Connor framework for government employee privacy, Fourth Amendment protections in the government workplace hinge on whether the workspace is shared with other employees, or whether the employer has enacted legitimate workplace policies that define privacy rights. The result is that government employees have much less Fourth Amendment protection than private sector employees, with the caveat that government employers cannot consent to a search while private sector employers can. (For more on this, and all the relevant case citations, see the chapter on it in the Justice Department manual on Searching and Seizing Computers that I wrote in '99-'01.)

With that background in mind, it's a little painful to read yesterday's opinion by the Ninth Circuit in United States v. Ziegler. Ziegler was an employee of a company called Frontline Processing, described in the opinion as "a company that services Internet merchants by processing on-line electronic payments" in Bozeman, Montana. Ziegler downloaded some child pornography to his computer at work, and his employer, in an effort to help out the FBI, went into Ziegler's office and copied his computer to give to the FBI. The computer contained child pornography, leading to charrges. Ziegler then filed a motion to suppress, arguing that he had a reasonable expectation of privacy on his workplace computer that was violated by the government-directed search.

The correct way to resolve this case would have been to say that of course Ziegler had a reasonable expectation of privacy in the contents of his private-sector office, see Mancusi v. DeForte, 392 U.S. 364 (1968), including the computer in his office. Then the court should have turned to whether the search was either a private search or else a reasonable warrantless search pursuant to the employer's valid third-party consent. Unfortunately, however, it seems that no one realized that private-sector Fourth Amendment privacy rights are so different from public-sector Fourth Amendment privacy rights. The defense attorney apparently didn't notice the difference, and it seems that the AUSA didn't either. (I couln't find the briefs on Westlaw, but the opinions summarize the parties' positions.) [UPDATE: I have now read the appellant's brief. It has all of five pages of analysis, and it didn't see the public/private distinction at all.] And the failure to understand this basic distinction in Fourth Amendment law then worked its way up the line, with apparently no one stepping back and noticing that you couldn't rely on the public sector Fourth Amendment cases to analyze whether a private-sector employee has a reasonbable expectation of privacy at work.

The unfortunate result is an opinion that makes a quite clearly incorrect conclusion that private-sector employees do not have a reasonable expectation of privacy in the workplace computers in their offices when the employer has access rights to the machine. The Court based its holding primarily by analogy to United States v. Simons, a Fourth Circuit case imvolving a federal government agency search:

In United States v. Simons, the case upon which the district court relied, the Fourth Circuit reasoned that an employer's Internet-usage policy—which required that employees use the Internet only for official business and informed employees that the employer would "conduct electronic audits to ensure compliance," including the use of a firewall— defeated any expectation of privacy in "the record or fruits of [one's] Internet use." 206 F.3d at 395, 398. A supervisor had reviewed "hits" originating from Simons's computer via the firewall, had viewed one of the websites listed, and copied all of the files from the hard drive. Id. at 396. Despite that the computer was located in Simons's office, the court held that the "policy placed employees on notice that they could not reasonably expect that their Internet activity would be private." Id. at 398. As the government suggests, similar circumstances inform our decision in this case. Though each Frontline computer required its employee to use an individual log-in, Schneider and other IT-department employees "had complete administrative access to anybody's machine." As noted, the company had also installed a firewall, which, according to Schneider, is "a program that monitors Internet traffic . . . from within the organization to make sure nobody is visiting any sites that might be unprofessional." Monitoring was therefore routine, and the IT department reviewed the log created by the firewall "[o]n a regular basis," sometimes daily if Internet traffic was high enough to warrant it. Upon their hiring, Frontline employees were apprised of the company's monitoring efforts through training and an employment manual, and they were told that the computers were company-owned and not to be used for activities of a personal nature. Ziegler, who has the burden of establishing a reasonable expectation of privacy, presented no evidence in contradiction of any of these practices. Like Simons, he "does not assert that he was unaware of, or that he had not consented to, the Internet [and computer] policy." Simons, 206 F.3d at 398 n.8.

There are a bunch of problems in this section. To begin with, this is a very unpersuasive reading of Simons. The court conveniently doesn't mention this, but in Simons the Fourth Circuit held that the employee did have a reasonable expectation of privacy that was violated by physical entry to the office to get the physical machine. The court only permitted the search of the computer after holding that it was a reasonable search under the "special needs" exception as adopted by O'Connor v. Ortega. The part mentioned above was only about remote monitoring that preceded the physical entry. Here's what the Simons court said about the phsyical entry to Simons' office:

Here, Simons has shown that he had an office that he did not share. As noted above, the operational realities of Simons' workplace may have diminished his legitimate privacy expectations. However, there is no evidence in the record of any workplace practices, procedures, or regulations that had such an effect. [FN: The Internet policy did not render Simons' expectation of privacy in his office unreasonable. * * * ] We therefore conclude that, on this record, Simons possessed a legitimate expectation of privacy in his office.

Simons, 206 F.3d at 399.

The Ziegler court seems to say in a footnote that this case is different because it involved a computer. In footnote 9, the court suggests that entering the office to search a computer is a search of the computer but not a search of the office. ("Although an employee may have a legitimate expectation of privacy in his office, here the Frontline employees did not actually search Ziegler's office.") This makes no sense, as everything in an office is an item separate from the office; if this rationale were valid, then you could never search an office, just stuff in an office.

But I digress, so let me get back to the really important stuff. The Ziegler court seems unconcerned that Simons was a government search decided under O'Connor v. Ortega, rather than a private sector search that should be analyzed under Mancusi v. DeForte. So the Court makes its (unpersuasive) analogy to a decision that rested on the framework of government employee rights, apparently applying the low-protection government framework to what used to be the higher-protection private-sector framework. The end-result: the relatively high level of protection that private sector employees have in their computer hard drives are dropped to the low level of protection that government employees have. Not good.

There is one paragraph in the Zeigler opinion that at least suggests an awareness that there might be some difference between public and private employee Fourth Amendment rights. Here it is:

Other courts have scrutinized searches of workplace computers in both the public and private context, and they have consistently held that an employer's policy of routine monitoring is among the factors that may preclude an objectively reasonable expectation of privacy. See Biby v. Bd. of Regents, 419 F.3d 845, 850-51 (8th Cir. 2005) (holding that no reasonable expectation of privacy existed where a policy reserved the employer's right to search an employee's computer for a legitimate reason); United States v. Thorn, 375 F.3d 679, 683 (8th Cir. 2004), cert. granted and judgment vacated on other grounds by 543 U.S. 1112 (2005) (holding that a public agency's computer-use policy, which prohibited accessing sexual images, expressly denied employees any personal privacy rights in the use of the computer systems, and provided the employer the right to access any computer in order to audit its use, precluded any reasonable expectation of privacy); United States v. Angevine, 281 F.3d 1130, 1133-35 (10th Cir. 2002) (holding that the employer's computer-use policy, which included monitoring and claimed a right of access to equipment, and the employer's ownership of the computers defeated any reasonable expectation of privacy); Muick v. Glenayre Electronics, 280 F.3d 741, 743 (7th Cir. 2002) ("Glenayre had announced that it could inspect the laptops that it furnished for the use of its employees, and this destroyed any reasonable expectation of privacy . . . ."); Wasson v. Sonoma County Jr. Coll. Dist., 4 F. Supp. 2d 893, 905-06 (N.D. Cal. 1997) (holding that a policy giving the employer "the right to access all information stored on [the employer's] computers" defeated an expectation of privacy).

Notably, however, almost all of the cases in this strong cite are public sector cases, not private sector cases. The one private sector case on the list is Judge Posner's opinion in Muick v. Glenayre Electronics. But Muick is a bit of an analytical disaster. Here is an excerpt from a case summary I wrote on the case soon after it came out:

With all due repect to Judge Posner, his breezy opinion largely ignores the applicable law on several fronts, and although he reaches the right result, he does so for the wrong reasons. First, Posner gets the agency inquiry pretty clearly wrong. The FBI's request for the store to hold the computer on its behalf almost certainly makes the store a state actor for 4th Amendment purposes: the fact that the employer was acting "selfishly" doesn't mean it wasn't acting at the FBI's behest.

Second, Posner ignores the fact that all of the cases he relies on for his third rationale are government employment cases, and that the store was not a government employer. The Supreme Court in O'Connor v. Ortega created a special 4th Amendment standard for the government workplace, and under that standard notice alone can eliminate a "reasonable expectation of privacy." However, these cases aren't applicable to private employers such as the store, so notice alone should not be enough to eliminate privacy rights there.

* * * [T]he court should have stopped after the first rationale and not offered confusing and misleading alternative holdings on the Fourth Amendment when it didn't need to do so to resolve the case.

Finally, just to add to the confusion here, the Ziegler court has a long discussion analyzing and ultimately endorsing a California appellate court decision, TBG Ins. Services Corp. v. Superior Court, 117 Cal. Rptr.2d 155, 96 Cal.App. 4th 443 (Cal. Ct. App.2002), which had a long involved discussion of expectations of privacy and social norms in computers. But the Ziegler opinion once again seems not to notice a doctrinal category error: the TBG Ins. Services Corp. case is not a Fourth Amendment opinion. Rather, it is a decision under Article I, section I, of the California Constitution, which provides: "All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy." It turns out that the California courts use the "reasonable expectation of privacy" framework in that context, too, but it seems to have a different meaning than the same phrase has in the Fourth Amendment context. (This is not uncommon, actually. The phrase "reasonable expectation of privacy" is used in the context of privacy torts, as well as in the legal ethics area in the context of attorney-client privilege, and it has a different meaning in each context. As a result, you can't lift the interpretation of "reasonable expectation of priuvacy" from one context and use it in another context.)

Okay, so by now you're wondering, what difference does it make? If you analyze this case under the private-sector framework, you still will reach the same result because the employer had "common authority" to search the computer, right? Off the top of my head, yes, I think that's right. But the framework announced in Ziegler will still make an enormous difference in lots of other cases. Under the Fourth Amendment, private-sector employees have traditionally enjoyed Fourth Amendment protection in the contents of their offices, including in their office computers. The police can't just barge in to your office and rifle through your desktop computer. Instead, the police need either to get a warrant or to go your employer and ask for the employer's permission to conduct the search. But if private-sector employees have no reasonable expectation of privacy in the hard drives of their office computers, it means that the police don't need to get the boss's permission first. The police can pick an office known to have a computer access policy and simply barge in and grab any computers they want. And they can do this even over the objection of all the employees and the boss. The boss might have a civil claim against the government, but the employee won't have any rights at all; under the Ziegler opinion, the employee has no reasonable expectation of privacy in the contents of his computer.

The Supreme Court created a special framework for public-sector searches because in that context there's no Fourth Amendment difference between the boss and the police: they're all "the government" for Fourth Amendment purposes. But I think it's important not to let that different framework created for the specific needs of public-sector workplaces bleed over into the private sector. As tricky as these doctrinal distinctions are (and they really are pretty tricky, I think), a great deal of privacy protection hinges on keeping them straight.

Petition for Rehearing in United States v. Ziegler:
A few weeks ago, I posted a very long entry about a troubling Fourth Amendment decision from the Ninth Circuit, United States v. Ziegler, which held that a private sector employee has no Fourth Amendment rights in his computer against government surveillance if his employer has a workplace monitoring policy in effect or otherwise has acccess to the computer. As I explained in my earlier post, this is incorrect, and incorrect in a way that has really important and very troubling long-term consequences.

The last development in the case is that counsel for Ziegler has filed a petition for rehearing (.pdf), explaining the panel's error and asking the panel or the full Court to rehear the case. I very much hope the Ninth Circuit grants the petition: My sense is that the initial panel simply misunderstood a very complex doctrinal area, and that the panel didn't fully realize the impact of the decision or how much it conflicts with other cases in this area. (Full disclosure: following my initial blog post on the case, I contacted Ziegler's attorney and have discussed the case with him.)

Of course, rehearing in any case is a bit of an uphill battle. Appellate courts get a lot of petitions for rehearing, and it can be hard to predict which petitions are likely to grab the court's attention. In any event, I hope this one does.

The government's brief reflects a basic misunderstanding of the Fourth Amendment, and in particular the meaning of the reasonable expectation of privacy test. The government's brief assumes that a reasonable expectation of privacy is all about what I have elsewhere termed the probabilistic model — that is, the chances that something will remain private. Thus, the government imagines, whether a person has a reasonable expectation of privacy is inherently fact-sensitive, and all you need to do is look to the very specific circumstances and see if based on the context it was reasonable for someone to expect privacy. From that perspective, whether a case involves (say) government or private-sector employment is only relevant to the extent actual workplace policies are different.

But that's simply not how the Fourth Amendment works. The "reasonable expectation of privacy" test is actually a system of localized rules: the phrase is simply a label, and what it actually means depends on the specific context as determined by the Supreme Court's cases. The Supreme Court has decided dozens of cases interpreting the reasonable expectation of privacy test, and those cases offer specific interpretations for lower courts to use. As a result, the actual meaning of the Fourth Amendment is highly localized: "reasonable expectation of privacy" means different things in different contexts, and usually has nothing to do with the probability that a reasonable person would expect something to remain private.

That difference is critical here, because the Supreme Court has handed down different localized rules for Fourth Amendment rights in a public employment context and in a private employment context. I realize it seems strange at first, but it's basic hornbook law: the doctrinal test for whether there is a "reasonable expectation of privacy" in a private workplace is simply different from the test in a public-sector workplace. It's not because the workplaces are inherently different, but because the U.S. Supreme Court has decided to regulate the two environments using different legal rules. In a nutshell, the private sector rule is that there is an REP unless the workplace is open to the public; in the public sector, there is no REP unless the employee is afforded a space that is not shared by other employees or subject to regular access by other employees. Two different contexts, two different legal rules.

(Incidentally, if you're interested in learning more about this, I should have a new draft up in about 2 weeks explaining exactly how the Supreme Court uses these different tests to create localized Fourth Amendment rules, all under the "reasonable expectation of privacy" rubric. Stay tuned.)

New Ninth Circuit Decision in Ziegler:
I'm pleased to report that today the Ninth Circuit changed course in the Ziegler case that I've mentioned here a few times. This is the case holding that a private sector employee lacked a reasonable expectation of privacy in his workplace computer because the employer had access rights to the machine. Today the original panel granted the petition for rehearing and substituted a new opinion for the earlier one. The new opinion is available here.

The new opinion gets it right: it concludes that the employee had a reasonable expectation of privacy in the machine, but that the employer had the right to consent to the government's search under third-party consent principles. The end result is the same — the evidence is admissible — but the reasoning is very different. Here's the new section holding that the employee had a reasonable expectation of privacy in his machine:

The seminal case addressing the reasonable expectations of private employees in the workplace is Mancusi v. DeForte, 392 U.S. 364 (1968). In Mancusi, the Supreme Court addressed whether a union employee had a legitimate expectation of privacy, and therefore Fourth Amendment standing, in the contents of records that he stored in an office that he shared with several other union officials. The Court held that DeForte had standing to object to the search and that the search was unreasonable, noting that it was clear that "if DeForte had occupied a 'private' office in the union headquarters, and union records had been seized from a desk or a filing cabinet in that office, he would have had standing." Id. at 369. That was so because he could expect that he would not be disturbed except by business or personal invitees and that the records would not be taken except with the permission of his supervisors. Id. The Court thought the fact that the office was shared with a few other individuals to be of no constitutional distinction. Mancusi compels us to recognize that in the private employer context, employees retain at least some expectation of privacy in their offices. Id. See also Ortega v. O'Connor, 480 U.S. 709, 716 (1987) (noting that in Mancusi "this Court . . . recognized that employees may have a reasonable expectation of privacy against intrusions by police."); id. at 730 (Scalia, J., concurring) ("In Mancusi v. DeForte, we held that a union employee had Fourth Amendment rights with regard to an office at union headquarters that he shared with two other employees, even though we acknowledged that those other employees, their personal or business guests, and (implicitly) 'union higher-ups' could enter the office.") (internal citations omitted).

I'm not exactly sure what it means to possess "some" expectation of privacy, as either a reasonable expectation of privacy exists or it doesn't. But the opinion later makes clear that Ziegler did in fact have a reasonable expectation of privacy in his office machine. That's the key holding, and I think it's clearly right (and important, too, for the reasons mentioned in my earlier blogging).

Rehearing Denied in Ziegler:
I confess I lost interest in the United States v. Ziegler case after the panel changed course and reversed its holding on the reasonable expectation of privacy in computers in the private-sector workplace. Decisions applying the Fourth Amendment to computers seem to be falling out of the trees these days, and the panel's second ruling on third-party consent was pretty fact-bound. However, it turns out that a bunch of Ninth Circuit Judges were still paying very close attention to the case. Check out the opinion dissenting from rehearing en banc by Willie Fletcher joined by Pregerson, Reinhardt, Kozinski, Hawkins, Thomas, McKeown, Wardlaw, Fisher, Paez, and Berzon, a.k.a. "the Libs + The Easy Rider." Judge Kozinski also filed a very heated separate dissent (albeit one that misspells "rehearing" in the title).